This is a note to let you know that I've just added the patch titled
afs: Fix total-length calculation for multiple-page send
to the 4.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
afs-fix-total-length-calculation-for-multiple-page-send.patch
and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From foo@baz Tue Dec 12 10:32:42 CET 2017
From: David Howells <dhowells@xxxxxxxxxx>
Date: Thu, 2 Nov 2017 15:27:51 +0000
Subject: afs: Fix total-length calculation for multiple-page send
From: David Howells <dhowells@xxxxxxxxxx>
[ Upstream commit 1199db603511d7463d9d3840f96f61967affc766 ]
Fix the total-length calculation in afs_make_call() when the operation
being dispatched has data from a series of pages attached.
Despite the patched code looking like that it should reduce mathematically
to the current code, it doesn't because the 32-bit unsigned arithmetic
being used to calculate the page-offset-difference doesn't correctly extend
to a 64-bit value when the result is effectively negative.
Without this, some FS.StoreData operations that span multiple pages fail,
reporting too little or too much data.
Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
Signed-off-by: Sasha Levin <alexander.levin@xxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/afs/rxrpc.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/fs/afs/rxrpc.c
+++ b/fs/afs/rxrpc.c
@@ -377,8 +377,17 @@ int afs_make_call(struct in_addr *addr,
*/
tx_total_len = call->request_size;
if (call->send_pages) {
- tx_total_len += call->last_to - call->first_offset;
- tx_total_len += (call->last - call->first) * PAGE_SIZE;
+ if (call->last == call->first) {
+ tx_total_len += call->last_to - call->first_offset;
+ } else {
+ /* It looks mathematically like you should be able to
+ * combine the following lines with the ones above, but
+ * unsigned arithmetic is fun when it wraps...
+ */
+ tx_total_len += PAGE_SIZE - call->first_offset;
+ tx_total_len += call->last_to;
+ tx_total_len += (call->last - call->first - 1) * PAGE_SIZE;
+ }
}
/* create a call */
Patches currently in stable-queue which might be from dhowells@xxxxxxxxxx are
queue-4.14/x.509-reject-invalid-bit-string-for-subjectpublickey.patch
queue-4.14/asn.1-check-for-error-from-asn1_op_end__act-actions.patch
queue-4.14/keys-add-missing-permission-check-for-request_key-destination.patch
queue-4.14/afs-fix-total-length-calculation-for-multiple-page-send.patch
queue-4.14/afs-connect-up-the-cb.probeuuid.patch
queue-4.14/asn.1-fix-out-of-bounds-read-when-parsing-indefinite-length-item.patch
queue-4.14/keys-reject-null-restriction-string-when-type-is-specified.patch
queue-4.14/x.509-fix-comparisons-of-pkey_algo.patch